With World IPv6 Launch, IPv6 on by default will be the new normal

IPv6 deployment is gaining momentum as World IPv6 Launch on June 6 approaches …

Some "technologies of the future" stubbornly remain in the future and resist becoming technologies of the present. Case in point: fusion energy. For a long time, IPv6 seemed to fall into that category. But now, could it finally be for real? For anyone who missed the memo: current IP addresses are 32 bits long and are running out. IPv6 fixes this with addresses that are 128 bits long. But this only works when you actually run IPv6. Last year, some big players did exactly that for one day as a test. This year, the idea is to leave it on.

I'm at the 83rd IETF meeting in Paris this week (the same Internet Engineering Task Force that created IPv6 in the first place in the 1990s). I went to my first IETF meeting in 2002. Back then there was a lot of IPv6 work going on, although there was plenty of IPv6 skepticism heard in the hallways. A decade later, IPv6 is a given. Only when I try to check Dutch news sites to see if we still have a government do I notice that I'm on the IPv6-only WiFi network. All the IETF-related pages and tools are available over IPv6 as a matter of course. That isn't to say no IPv6-related work is going on, but that work happens in maintenance and operations working groups. In fact, the IETF leadership is now thinking about chartering a "v4exit" working group to focus on an orderly shutdown of the old IPv4 protocol.

In the meantime, World IPv6 Launch looms large. It's coming to a worldwide computer network near you on June 6. Last year, Akamai was one of the prominent participants in World IPv6 Day, which failed to kill the Internet. There was some more work to be done, however. Akamai explained to Network World that, as of April, the content delivery network is finally ready for IPv6.

Cisco and the Internet Society (ISOC) used the Paris meeting for a near-impromptu lunch get-together, talking about what some of the big World IPv6 Launch participants are doing. ISOC's Phil Roberts, moderator of the panel, kicked things off by saying that "IPv6 'on by default' is the new normal."

IPv6 World Launch Day panel

Iljitsch van Beijnum

In response to questions from the audience, Time Warner Cable and Comcast representatives talked about what the new normal means to them. As part of World IPv6 Launch, they've committed to have one percent of their customers using IPv6 by June 6. But as 30 percent of their consumers use Windows XP (which doesn't have IPv6 enabled out of the box) and 70 percent have a non-IPv6-capable home router, they need to enable IPv6 on a rather significant number of subscriber connections to hit that seemingly unambitious one percent. New Comcast and Time Warner Cable users—and also many existing users—will gain IPv6 connectivity over the next three months, and more after that. However, different cities will get it at different times.

So far, Comcast has provided IPv6 connectivity only to Windows Vista/7 and OS X 10.7 users who connect their computer directly to a DOCSIS 3 cable modem. But they're now also going to delegate an entire range of IPv6 addresses to IPv6-capable home routers, which can then hand out these addresses on their LAN ports and over Wi-Fi. And IPv6 support is even coming to selected DOCSIS 2 modems. Both cable operators will be giving out /64 prefixes, which is the size used on a single subnet. In other words: you can't daisy-chain home routers or have separate IPv6 home and office networks separated by a router or firewall. The rationale for this decision is that some home routers may be confused by a larger address block, and current ones have no use for such a bigger block, anyway. But bigger address blocks may be given out at some point in the future.

Speaking of home routers, Cisco, the new home of Linksys, has a lineup of routers that have IPv6 enabled by default. The same is true for D-Link. These IPv6-enabled home routers are set up to request a range of addresses on their WAN side and redistribute those on the LAN side. This way, IPv6-capable systems automatically get both IPv4 and IPv6, while everything else continues to use IPv4 as usual.

Last year, most of the focus of the World IPv6 Day 24-hour trial run was on big websites. These are again joining the party this year, but they won't remove their servers' IPv6 addresses from the DNS again after the 24 hours is up. Google's Lorenzo Colitti is looking forward to welcoming that one percent of IPv6 users from the participating ISPs on the Google servers. He stressed that publishing IPv6 addresses in the DNS permanently this year is only realistically possible after World IPv6 Day. That event showed that it was possible to enable IPv6 for the whole Internet without significant impact.

So even though ISOC has yet to get any mobile networks on board, as of early June, network operators should expect a significant increase in IPv6 traffic. And that will be just the beginning. It's the new normal, after all. Here at Ars we're going to prepare for World IPv6 Day with an article explaining how you can enable IPv6 in your own (home) network. If you have any questions about that, let us know in the comments.

In your article, can you cover how to set it up if you're running a Cisco IOS device for your home router? Also, let's say you have internet facing servers statically nat'd through that router. And you use an internal DHCP server instead of having the router do it. And the router actually trunks a few VLANs to a Cisco switch which is where distribution occurs. And do we need to make allowances for wireless devices that friends bring in that might not be IPv6 capable? If you could cover that it'd be swell. I'm a bit lost right now.

Not really. All modern mobile devices since at least the original iPhone have IPv6 support, just disabled by default. For that, you just send a tiny firmware update that enables them. For the rare devices that don't have IPv6 at all, you just give them a 4to6 tunnel.

You think it will be easy to get firmware updates for 2007-era Android devices?

Oh boy, I can't wait for Verizon to tell me "go away kid" again when I ask if they can enable V6 on FiOS. I've been using a tunnel broker for over a year now but I'd much prefer native support from Verizon.

Most mobile networks do some form of NAT already, don't they? In the short term, they might just set their NAT for 6to4 conversion.

Will tor work over IPv6? I'm not a user, but I can imagine that if every device has a unique IP, it may become much harder to anonymize traffic.

It won't do much to anonymity in torrenting. To take legal action, plaintiffs will still need to get an ISP to match a random bunch of characters to a real life person.

Despite the confusingly similar names, tor and torrenting are two very different things with very different use cases.

I'm not a tor expert but it shouldn't affect anything that I can think of. A very large portion of tor users would already have a unique IP for their home and even if they don't it's not like the ISP can't sort out who's who if they've been asked to help unmask a tor user. The anonymization comes from proxying through other tor nodes.

I've said it before, and I'll say it again. "Providing" the "ability" to use IPv6 will accomplish absolutely nothing, except to technical people who will be happy that they feel that they have achieved some wonderful end unto itself.

The only way IPv6 will gain any sort of acceptance is when money talks, i.e., companies demonstrate that there is money to be made by abandoning IPv4, or companies figure out they are losing money by sticking with IPv4 and not adopting IPv6.

At this point, that's not happening. World IPv6 Day and World IPv6 launch are nice events, but that's all...they are events.

I like to be behind NAT. I would still want to be behind NAT even with IPv6. Having a public IP scares me.

There's a range of private addresses even in IPv6, and you can still NAT. It just might not be your ISP that NATs you. Personally I kind of like the idea of each device having a public address, anonymity issues aside. It's more like what the internet was supposed to be before Real Life got in the way.

I don't see NATs going away, nor do I see ipv4 going away anytime soon - especially behind NAT... For most people this is going to be a REALLY slow change IMO

Well, the problem for ISPs is that unless they assign every user a pool of addresses v6 will have to rely on NAT anyway, if I look at my own situation then I need at least 8 IP addresses right off the bat and then I'm not even counting giving friends who come and stay Internet access. If there's a way to do that then I think v6 will take off but until then its use will be very limited.

Well, they said they're giving out /64 subnets. Which seemed ridiculous to me, but I have 4 devices on my home network at any given time, and I don't even have a smart phone. At the point where you need more than 64 addresses, you should be ordering a business service. Or else it's the future everyone's talking about, where your toaster needs its own IP. And at that point I agree with the NAT lovers out there, I'll want at least a secure by default firewall between my toaster and the public internet. People be burning my house down by hacking my toaster...

IPv6 standard REQUIRES at least a /64. You will have at least 18,446,744,073,709,551,616 IP addresses for you and your friends.

I'm at 30 devices at my last scan.

I'm also on Comcast business. Did you know they'll sell it to you, even if you're not a business? I really wish they'd get it enabled though, I've been asking for years.

For those who have used it, how do they push it? Stateless Autoconfig? DHCPv6? Or do they just mail you the IP block?

Well, /64 gives you far more than 64 addresses. I personally think it's a huge waste of IP addresses even with the overabundance that IPv6 gives. It is better than the scheme we're running now though.

I'm hoping for the day where I can hack into my dryer and find out where that sock-monster lives so I can get a bunch of single socks back!

You can take some comfort in the fact that if your devices are scattered around randomly inside the /64, then even when you give away your PC's address by connecting to a website, scanning your entire /64 to find everything in your house would not be terribly practical. Even Dan Kaminsky can't scan that much internets on a whim. That being said, I would also want my home to have a unified firewall.

My husband and I were able to come up with 19 IP-enabled devices in our apartment, and we know someone who has 41. The idea that there will be homes and small business with a hundred or more in the future is not ridiculous and the IPv6 /64 allocations are designed to be future-proof for as much future as we care to contemplate.

"Stateless Autoconfig"

Your local router broadcasts your prefix and the client just picks a random /64 suffix. If said random IP is in use, try again. The chance of collision is low, so that shouldn't happen often.

Can you just NAT IPv6 down to IPv4? I'd think you'd need to dual stack your router and just let the IPv4 mobile devices go the old route while the rest of your internal network would go the new route. Otherwise you probably would need an access point that had an 4to6 tunnel option for devices not speaking IPv6.

With my current setup (AT&T DSL, FreeBSD 7.x router doing PPPoE to a DSL modem), I can't keep a functional IP stack running for more than a day - often less than an hour. Each time, I need to reboot the FreeBSD box and the IPv4 address changes. (I need to go to FreeBSD 9.x - or Linux.)

If AT&T doesn't give me a FIXED /64 network, that will mean that my INTERNAL LAN connectivity will be messed up every time the link bounces - unless I continue to run IPv4 for internal connectivity.

When I had Comcast, I kept the IPv4 address for weeks - even months.

Last time I checked (last year), IPv6 plans at work are limited due to the additional load IPv6 puts on routers - and there isn't enough of a budget to replace the campus backbone routers for an upgrade (it's a big network.)

That would be how I'd push IPs internally (though it sounds like I'll have to use DHCPv6 to push DNS servers to the hosts as well). But how is the prefix being assigned to the router from Comcast?

"That being said, I would also want my home to have a unified firewall"

^ This

Modern IPv6 firewalls use UPnP to open ports and block ports by default. This is the same as how someone can play games and use P2P w/o manually setting their firewall, except you now get your own IP.

NATs themselves provide absolutely no security. What actually adds security to a NAT is the fact that a NAT requires tracking state which is usually done by a stateful firewall. The firewall is where all of your security comes from, not the "hiding". IPv6+Firewall is at least as good as IPv4+NAT. In general, it will be better just because of the HUGE address space.

Plus NAT is not an industry standard, it is a bandaid. This means nearly every NAT is implemented differently. You don't know if you'll get a "properly" implemented NAT that is secure or a low-bidder crunch-time Jr programmer slapped together some code that worked "good enough", but is littered with security holes.

With a NAT, you don't know what you're going to get as the whole point of NAT is to work in an "undetermined" way. A stateful firewall has very strict cases, so they're much easier to test and implement.
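
The argument in the comment above, that the filtering comes from connection state and not from address translation, as an added example that is not part of the original article or thread. It is a constructed Python model, not real router code; the class names, the sample addresses (documentation ranges) and the endpoint-dependent NAT mapping are assumptions.

```python
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    """IPv6 router: no translation, default-deny inbound, replies allowed."""
    flows: set = field(default_factory=set)

    def outbound(self, p: Packet) -> Packet:
        self.flows.add((p.src, p.sport, p.dst, p.dport))  # remember the flow
        return p

    def inbound(self, p: Packet):
        # A reply is a recorded flow with its endpoints swapped; else drop (None).
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None

@dataclass
class PortNat:
    """NAPT: the mapping table is the connection state (endpoint-dependent here)."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, p: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet):
        # No table entry means no one inside asked for this packet: drop (None).
        entry = self.table.get((p.dport, p.src, p.sport))
        return replace(p, dst=entry[0], dport=entry[1]) if entry else None

@dataclass
class StaticNat:
    """1:1 translation with no state: every inbound packet is forwarded."""
    public_to_private: dict

    def inbound(self, p: Packet):
        private = self.public_to_private.get(p.dst)
        return replace(p, dst=private) if private else None

def demo() -> dict:
    # Constructed traffic; all addresses come from documentation ranges.
    fw = StatefulFirewall()
    fw.outbound(Packet("2001:db8:1::a1", 50000, "2001:db8:ffff::80", 443))
    nat = PortNat("203.0.113.7")
    out = nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.5", 443))
    static = StaticNat({"203.0.113.8": "192.168.1.20"})
    return {
        "v6_reply": fw.inbound(Packet("2001:db8:ffff::80", 443, "2001:db8:1::a1", 50000)),
        "v6_unsolicited": fw.inbound(Packet("2001:db8:2::99", 4444, "2001:db8:1::a1", 22)),
        "nat_reply": nat.inbound(Packet("198.51.100.5", 443, out.src, out.sport)),
        "nat_unsolicited": nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.7", 22)),
        "static_nat_unsolicited": static.inbound(Packet("192.0.2.99", 4444, "203.0.113.8", 22)),
    }

if __name__ == "__main__":
    print({k: ("forwarded" if v else "dropped") for k, v in demo().items()})
```

The stateful IPv6 firewall and the port-translating NAT make the same accept/drop decisions, while the stateless 1:1 NAT forwards the unsolicited packet even though it rewrites addresses.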

Iljitsch van Beijnum / Iljitsch is a contributing writer at Ars Technica, where he contributes articles about network protocols as well as Apple topics. He is currently finishing his Ph.D. work at the telematics department at Universidad Carlos III de Madrid (UC3M) in Spain.